Kms
Key Management Service (KMS) for gllm_datastore.
BaseKeyManagementService
Bases: ABC
Abstract base class for Key Management Service implementations.
This interface defines the contract for KMS implementations that handle data encryption key (DEK) management and encryption/decryption operations.
decrypt(ciphertext)
abstractmethod
Decrypt ciphertext data.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
ciphertext
|
bytes
|
The encrypted data to decrypt. |
required |
Returns:
| Name | Type | Description |
|---|---|---|
bytes |
bytes
|
The decrypted data. |
Raises:
| Type | Description |
|---|---|
NotImplementedError
|
If the method is not implemented by the subclass. |
decrypt_dek(encrypted_dek)
abstractmethod
Decrypt an encrypted Data Encryption Key (DEK).
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
encrypted_dek
|
bytes
|
The encrypted data encryption key. |
required |
Returns:
| Name | Type | Description |
|---|---|---|
bytes |
bytes
|
The decrypted data encryption key. |
Raises:
| Type | Description |
|---|---|
NotImplementedError
|
If the method is not implemented by the subclass. |
encrypt(plaintext)
abstractmethod
Encrypt plaintext data.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
plaintext
|
bytes
|
The data to encrypt. |
required |
Returns:
| Name | Type | Description |
|---|---|---|
bytes |
bytes
|
The encrypted data. |
Raises:
| Type | Description |
|---|---|
NotImplementedError
|
If the method is not implemented by the subclass. |
get_dek()
abstractmethod
Retrieve or generate a Data Encryption Key (DEK) and its encrypted form.
Returns:
| Type | Description |
|---|---|
tuple[bytes, str]
|
tuple[bytes, str]: A tuple containing (dek, encrypted_dek). |
Raises:
| Type | Description |
|---|---|
NotImplementedError
|
If the method is not implemented by the subclass. |
OpenBaoKeyManagementService(base_url, token, kek_name, mount_point, namespace=None)
Bases: BaseKeyManagementService
OpenBao implementation of Key Management Service.
This class provides KMS functionality using OpenBao's transit secrets engine for encryption operations and key management.
Attributes:
| Name | Type | Description |
|---|---|---|
base_url |
str
|
The OpenBao server base URL. |
token |
str
|
The authentication token for OpenBao. |
mount_point |
str
|
The mount point for the transit secrets engine. |
kek_name |
str
|
The name of the Key Encryption Key in OpenBao transit. |
namespace |
str | None
|
The OpenBao namespace. |
session |
Session
|
The HTTP session for API calls. |
Initialize the OpenBao KMS client.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
base_url
|
str
|
The OpenBao server base URL. |
required |
token
|
str
|
The authentication token for OpenBao. |
required |
kek_name
|
str
|
The name of the KEK in transit. |
required |
mount_point
|
str
|
The mount point for transit engine. |
required |
namespace
|
str | None
|
The OpenBao namespace. Defaults to None. |
None
|
__repr__()
Return string representation with masked token.
Returns:
| Name | Type | Description |
|---|---|---|
str |
str
|
String representation of the OpenBao instance. |
decrypt(ciphertext)
Decrypt ciphertext data using OpenBao transit.
Process: 1. Decode ciphertext from bytes 2. Prepare the API request 3. Decrypt using OpenBao transit API 4. Decode the plaintext from base64
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
ciphertext
|
bytes
|
The encrypted data to decrypt. |
required |
Returns:
| Name | Type | Description |
|---|---|---|
bytes |
bytes
|
The decrypted data. |
Raises:
| Type | Description |
|---|---|
RequestException
|
If the data cannot be decrypted. |
decrypt_dek(encrypted_dek)
Decrypt an encrypted Data Encryption Key using OpenBao transit.
Process: 1. Prepare the API request 2. Decrypt using OpenBao transit API 3. Decode the plaintext from base64
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
encrypted_dek
|
bytes
|
The encrypted DEK to decrypt. |
required |
Returns:
| Name | Type | Description |
|---|---|---|
bytes |
bytes
|
The decrypted DEK. |
Raises:
| Type | Description |
|---|---|
RequestException
|
If the DEK cannot be decrypted. |
encrypt(plaintext)
Encrypt plaintext data using OpenBao transit.
Process: 1. Encode plaintext to base64 for OpenBao 2. Prepare the API request 3. Encrypt using OpenBao transit API 4. Return the ciphertext as bytes
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
plaintext
|
bytes
|
The data to encrypt. |
required |
Returns:
| Name | Type | Description |
|---|---|---|
bytes |
bytes
|
The encrypted data. |
Raises:
| Type | Description |
|---|---|
RequestException
|
If the data cannot be encrypted. |
get_dek()
Generate a new Data Encryption Key (DEK) using OpenBao transit datakey.
This method uses OpenBao's transit engine to generate a plaintext DEK and its encrypted form in a single operation.
Process: 1. Generate DEK using OpenBao transit datakey endpoint 2. Extract plaintext and encrypted DEK from response
Returns:
| Type | Description |
|---|---|
tuple[bytes, str]
|
tuple[bytes, str]: A tuple containing (plaintext_dek, encrypted_dek). |
Raises:
| Type | Description |
|---|---|
RequestException
|
If the DEK cannot be generated. |